solidus_api 1.1.0.pre1 → 1.1.0.pre2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5f12beb38cf354e9a5e8be4a7a99d9af5b0350fb
-  data.tar.gz: 3afecc41fd1020bf2c75e6b31c69feda1512d5e5
+  metadata.gz: 2fec876f748a73c00b4d7dbf63c2d3270a719ce7
+  data.tar.gz: b63a3f8f6ea3b237dd49057a787b9a2bd0e22afd
 SHA512:
-  metadata.gz: ce431a0a22a1eb8500097691959273d005e1de0c478d9e30532ef9a40df9a8ea4ce54ac9612bdd4a49b711bb369153f8348d014775744438850c6bfe6459dd7a
-  data.tar.gz: 132278ed5df8946142f6fd59715f6f508b8dacf5060775216abfd10aab59ff88090827d3ab629357b2e1c65f65ec6088f5444bb5cf90113c294476e42bb47980
+  metadata.gz: 2f89a236ed244de294c74ac119ce8ff13baf8f657e049d55ca8b32946ffb75b644b25ade0ae7a0e68f9d1233daa61e3e343788683d124af2212c74b6fbad8e84
+  data.tar.gz: d5637fc1f6611d61aeb4e517628da33db9b4335fe95e77e19738ff21cf4d5fe7387f16ccce6c6ecd56f6162f486e8bd293864ea8e7d749084f9425d479217b3a

data/app/controllers/spree/api/address_books_controller.rb

@@ -2,32 +2,53 @@ module Spree
   module Api
     class AddressBooksController < Spree::Api::BaseController
       # Note: the AddressBook is the resource to think about here, not individual addresses
+      before_filter :load_user_addresses
 
       def show
-        render_address_book
+        authorize! :show, address_book_user
+
+        render :show, status: :ok
       end
 
+      # Update a user's address book by adding an address to it or by updating
+      # the associated UserAddress (e.g. making it the default).
+      #
+      # @param user_id [String] the user id of the address book we're updating.
+      # @param address_book [Hash] any key-values permitted by
+      #   permitted_address_book_attributes
+      # @return [Array] *All* of the user's addresses, since the resource here
+      #   is the address book and since we may have mutated other UserAddresses
+      #   (e.g. changed the 'default' flag).  The user's default address will be
+      #   flagged with default=true and the target address from this update will
+      #   be flagged with update_target=true.
       def update
+        authorize! :save_in_address_book, address_book_user
+
         address_params = address_book_params
         default_flag = address_params.delete(:default)
-        address = current_api_user.save_in_address_book(address_params, default_flag)
-        if address.valid?
-          render_address_book
+        @address = address_book_user.save_in_address_book(address_params, default_flag)
+        if @address.valid?
+          render :show, status: :ok
         else
-          invalid_resource!(address)
+          invalid_resource!(@address)
         end
       end
 
       def destroy
-        current_api_user.remove_from_address_book(params[:address_id])
-        render_address_book
+        authorize! :remove_from_address_book, address_book_user
+
+        address_book_user.remove_from_address_book(params[:address_id])
+        render :show, status: :ok
       end
 
       private
 
-      def render_address_book
-        @user_addresses = current_api_user.user_addresses
-        render :show, status: :ok
+      def address_book_user
+        @address_book_user ||= Spree.user_class.find(params[:user_id])
+      end
+
+      def load_user_addresses
+        @user_addresses ||= address_book_user.user_addresses
       end
 
       def address_book_params

data/app/controllers/spree/api/line_items_controller.rb

@@ -37,8 +37,7 @@ module Spree
 
       def destroy
         @line_item = find_line_item
-        variant = Spree::Variant.unscoped.find(@line_item.variant_id)
-        @order.contents.remove(variant, @line_item.quantity)
+        @order.contents.remove_line_item(@line_item)
         respond_with(@line_item, status: 204)
       end
 

data/app/controllers/spree/api/users_controller.rb

@@ -15,6 +15,10 @@ class Spree::Api::UsersController < Spree::Api::ResourceController
   end
 
   def permitted_resource_attributes
-    super | [bill_address_attributes: permitted_address_attributes, ship_address_attributes: permitted_address_attributes]
+    if action_name == "create" || can?(:update_email, user)
+      super | [:email]
+    else
+      super
+    end
   end
 end

data/app/views/spree/api/address_books/show.v1.rabl

@@ -1,4 +1,7 @@
 collection @user_addresses
 node do |user_address|
-  partial("spree/api/addresses/show", object: user_address.address).merge(default: user_address.default)
+  partial("spree/api/addresses/show", object: user_address.address).merge(
+    default: user_address.default,
+    update_target: @address == user_address.address,
+  )
 end

data/app/views/spree/api/shipments/big.v1.rabl

@@ -41,6 +41,13 @@ child order: :order do
 
   child payments: :payments do
     attributes :id, :amount, :display_amount, :state
+    child source: :source do |s|
+      attrs = [:id]
+      if s.respond_to?(:cc_type)
+        attrs << :cc_type
+      end
+      attributes *attrs
+    end
     child payment_method: :payment_method do
       attributes :id, :name
     end

data/app/views/spree/api/variants/big.v1.rabl

@@ -1,7 +1,7 @@
 object @variant
 attributes *variant_attributes
 
-cache [I18n.locale, @current_user_roles.include?('admin'), 'big_variant', root_object]
+cache [I18n.locale, Spree::StockLocation.accessible_by(current_ability).pluck(:id).sort.join(":"), 'big_variant', root_object]
 
 extends "spree/api/variants/small"
 

data/app/views/spree/api/variants/small.v1.rabl

@@ -1,4 +1,4 @@
-cache [I18n.locale, @current_user_roles.include?('admin'), 'small_variant', root_object]
+cache [I18n.locale, 'small_variant', root_object]
 
 attributes *variant_attributes
 

data/config/routes.rb

@@ -107,6 +107,7 @@ Spree::Core::Engine.add_routes do
 
     resources :users do
       resources :credit_cards, only: [:index]
+      resource :address_book, only: [:show, :update, :destroy]
     end
 
     resources :credit_cards, only: [:update]
@@ -134,8 +135,6 @@ Spree::Core::Engine.add_routes do
       end
     end
 
-    resource :address_book, only: [:show, :update, :destroy]
-
     get '/config/money', to: 'config#money'
     get '/config', to: 'config#show'
     put '/classifications', to: 'classifications#update', as: :classifications

data/spec/controllers/spree/api/orders_controller_spec.rb

@@ -226,7 +226,7 @@ module Spree
 
     describe 'GET #show' do
       let(:order) { create :order_with_line_items }
-      let(:adjustment) { FactoryGirl.create(:adjustment, order: order) }
+      let(:adjustment) { FactoryGirl.create(:adjustment, adjustable: order, order: order) }
 
       subject { api_get :show, id: order.to_param }
 

data/spec/controllers/spree/api/shipments_controller_spec.rb

@@ -162,6 +162,25 @@ describe Spree::Api::ShipmentsController, :type => :controller do
             subject
             expect(rendered_shipment_ids).to match_array current_api_user.orders.flat_map(&:shipments).map(&:id)
           end
+
+          context "credit card payment" do
+            before { subject }
+
+            it 'contains the id and cc_type of the credit card' do
+              expect(json_response['shipments'][0]['order']['payments'][0]['source'].keys).to match_array ["id", "cc_type"]
+            end
+          end
+
+          context "store credit payment" do
+            let(:current_api_user) { shipped_order.user }
+            let(:shipped_order)    { create(:shipped_order, payment_type: :store_credit_payment) }
+
+            before { subject }
+
+            it 'only contains the id of the payment source' do
+              expect(json_response['shipments'][0]['order']['payments'][0]['source'].keys).to match_array ["id"]
+            end
+          end
         end
 
         context 'with filtering' do

data/spec/controllers/spree/api/stock_transfers_controller_spec.rb

@@ -46,6 +46,21 @@ module Spree
           end
         end
 
+        context "transfer item does not have stock in source location after ship" do
+          let(:variant_id) { transfer_item.variant.to_param }
+          let(:user) { create :user }
+
+          before do
+            stock_transfer.finalize(user)
+            stock_transfer.ship(shipped_at: Time.now)
+            stock_transfer.source_location.stock_item(transfer_item.variant_id).set_count_on_hand(0)
+          end
+
+          it "can still receive item" do
+            expect { subject }.to change { transfer_item.reload.received_quantity }.by(1)
+          end
+        end
+
         context "transfer item has been fully received" do
           let(:variant_id) { transfer_item.variant.to_param }
 

data/spec/requests/api/address_books_spec.rb

@@ -0,0 +1,222 @@
+require 'spec_helper'
+
+module Spree
+  describe Api::AddressBooksController, :type => :request do
+    let!(:state) { create(:state) }
+    let!(:harry_address_attributes) do
+      {
+        'firstname' => 'Harry',
+        'lastname' => 'Potter',
+        'address1' => '4 Privet Drive',
+        'address2' => 'cupboard under the stairs',
+        'city' => 'Surrey',
+        'zipcode' => '10010',
+        'phone' => '555-5555',
+        'state_id' => state.id,
+        'country_id' => state.country.id
+      }
+    end
+
+    let!(:ron_address_attributes) do
+      {
+        'firstname' => 'Ron',
+        'lastname' => 'Weasly',
+        'address1' => 'Ottery St. Catchpole',
+        'address2' => '4th floor',
+        'city' => 'Devon, West Country',
+        'zipcode' => '10010',
+        'phone' => '555-5555',
+        'state_id' => state.id,
+        'country_id' => state.country.id
+      }
+    end
+
+    context 'as address book owner' do
+      context 'with ability' do
+        it 'returns my address book' do
+          user = create(:user, spree_api_key: 'galleon')
+          user.save_in_address_book(harry_address_attributes, true)
+          user.save_in_address_book(ron_address_attributes, false)
+
+          get "/api/users/#{user.id}/address_book", nil, { 'X-SPREE-TOKEN' => 'galleon'}
+
+          json_response = JSON.parse(response.body)
+          expect(response.status).to eq(200)
+          expect(json_response.length).to eq(2)
+          expect(json_response).to include(
+              hash_including(harry_address_attributes.merge!('default' => true)),
+              hash_including(ron_address_attributes.merge!('default' => false)),
+            )
+        end
+
+        it 'updates my address book' do
+          user = create(:user, spree_api_key: 'galleon')
+          address = user.save_in_address_book(harry_address_attributes, true)
+          harry_address_attributes['firstname'] = 'Ron'
+
+          expect {
+            put "/api/users/#{user.id}/address_book", { address_book: harry_address_attributes.merge('id' => address.id) }, { 'X-SPREE-TOKEN' => 'galleon' }
+          }.to change { UserAddress.count }.from(1).to(2)
+
+          expect(response.status).to eq(200)
+          expect(JSON.parse(response.body).first).to include(harry_address_attributes)
+        end
+
+        context 'when creating an address' do
+          it 'marks the update_target' do
+            user = create(:user, spree_api_key: 'galleon')
+
+            expect {
+              put "/api/users/#{user.id}/address_book", { address_book: harry_address_attributes }, { 'X-SPREE-TOKEN' => 'galleon' }
+            }.to change { UserAddress.count }.by(1)
+
+            user_address = UserAddress.last
+
+            expect(response.status).to eq(200)
+            update_target_ids = JSON.parse(response.body).select { |a| a['update_target'] }.map { |a| a['id'] }
+            expect(update_target_ids).to eq([user_address.address_id])
+          end
+        end
+
+        context 'when updating an address' do
+          it 'marks the update_target' do
+            user = create(:user, spree_api_key: 'galleon')
+            address = user.save_in_address_book(harry_address_attributes, true)
+
+            expect {
+              put "/api/users/#{user.id}/address_book", { address_book: harry_address_attributes }, { 'X-SPREE-TOKEN' => 'galleon' }
+            }.to_not change { UserAddress.count }
+
+            expect(response.status).to eq(200)
+            update_target_ids = JSON.parse(response.body).select { |a| a['update_target'] }.map { |a| a['id'] }
+            expect(update_target_ids).to eq([address.id])
+          end
+        end
+
+        it 'archives my address' do
+          address = create(:address)
+          user = create(:user, spree_api_key: 'galleon')
+          user.save_in_address_book(address.attributes, false)
+
+          expect {
+            delete "/api/users/#{user.id}/address_book", { address_id: address.id }, { 'X-SPREE-TOKEN' => 'galleon'}
+          }.to change { user.reload.user_addresses.count }.from(1).to(0)
+
+          expect(response.status).to eq(200)
+        end
+      end
+    end
+
+    context 'on behalf of address book owner' do
+      context 'with ability' do
+        before do
+          Spree::RoleConfiguration.configure do |config|
+            config.assign_permissions 'Prefect', [Spree::PermissionSets::UserManagement]
+          end
+          create(:user, spree_api_key: 'galleon', spree_roles: [build(:role, name: 'Prefect')])
+        end
+
+        it "returns another user's address book" do
+          other_user = create(:user)
+          other_user.save_in_address_book(harry_address_attributes, true)
+          other_user.save_in_address_book(ron_address_attributes, false)
+
+          get "/api/users/#{other_user.id}/address_book", nil, { 'X-SPREE-TOKEN' => 'galleon'}
+
+          json_response = JSON.parse(response.body)
+          expect(response.status).to eq(200)
+          expect(json_response.length).to eq(2)
+          expect(json_response).to include(
+              hash_including(harry_address_attributes.merge!('default' => true)),
+              hash_including(ron_address_attributes.merge!('default' => false)),
+            )
+        end
+
+        it "updates another user's address" do
+          other_user = create(:user)
+          address = other_user.save_in_address_book(harry_address_attributes, true)
+          updated_harry_address = harry_address_attributes.merge('firstname' => 'Ron')
+
+          expect {
+            put "/api/users/#{other_user.id}/address_book", { address_book: updated_harry_address.merge('id' => address.id) }, { 'X-SPREE-TOKEN' => 'galleon' }
+          }.to change { UserAddress.count }.from(1).to(2)
+
+          expect(response.status).to eq(200)
+          expect(JSON.parse(response.body).first).to include(updated_harry_address)
+        end
+
+        it "archives another user's address" do
+          address = create(:address)
+          other_user = create(:user)
+          other_user.save_in_address_book(address.attributes, false)
+
+          expect {
+            delete "/api/users/#{other_user.id}/address_book", { address_id: address.id }, { 'X-SPREE-TOKEN' => 'galleon'}
+          }.to change { other_user.reload.user_addresses.count }.from(1).to(0)
+
+          expect(response.status).to eq(200)
+        end
+      end
+
+      context 'without ability' do
+        it 'does not return another user address book' do
+          create(:user, spree_api_key: 'galleon')
+          other_user = create(:user)
+          other_user.save_in_address_book(harry_address_attributes, true)
+
+          get "/api/users/#{other_user.id}/address_book", nil, { 'X-SPREE-TOKEN' => 'galleon'}
+
+          expect(response.status).to eq(401)
+        end
+
+        it 'does not update another user address' do
+          address = create(:address)
+          other_user = create(:user)
+          other_user_address = other_user.save_in_address_book(address.attributes, true)
+          create(:user, spree_api_key: 'galleon')
+
+          expect {
+            put "/api/users/#{other_user.id}/address_book", { address_book: other_user_address.attributes.merge('address1' => 'Hogwarts') }, { 'X-SPREE-TOKEN' => 'galleon' }
+          }.not_to change { UserAddress.count }
+
+          expect(response.status).to eq(401)
+        end
+
+        it 'does not archive another user address' do
+          address = create(:address)
+          other_user = create(:user)
+          other_user.save_in_address_book(address.attributes, true)
+          create(:user, spree_api_key: 'galleon')
+
+          expect {
+            delete "/api/users/#{other_user.id}/address_book", { address_id: address.id }, { 'X-SPREE-TOKEN' => 'galleon' }
+          }.not_to change { other_user.user_addresses.count }
+
+          expect(response.status).to eq(401)
+        end
+      end
+    end
+
+
+    context 'unauthenticated' do
+      before do
+        @user = create(:user)
+      end
+
+      it 'GET returns a 401' do
+        get "/api/users/#{@user.id}/address_book"
+        expect(response.status).to eq(401)
+      end
+
+      it 'UPDATE returns a 401' do
+        put "/api/users/#{@user.id}/address_book"
+        expect(response.status).to eq(401)
+      end
+
+      it 'DELETE returns a 401' do
+        delete "/api/users/#{@user.id}/address_book"
+        expect(response.status).to eq(401)
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solidus_api
 version: !ruby/object:Gem::Version
-  version: 1.1.0.pre1
+  version: 1.1.0.pre2
 platform: ruby
 authors:
 - Solidus Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-09-30 00:00:00.000000000 Z
+date: 2015-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: solidus_core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.0.pre1
+        version: 1.1.0.pre2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 1.1.0.pre1
+        version: 1.1.0.pre2
 - !ruby/object:Gem::Dependency
   name: rabl
   requirement: !ruby/object:Gem::Requirement
@@ -215,7 +215,6 @@ files:
 - lib/spree_api.rb
 - script/rails
 - solidus_api.gemspec
-- spec/controllers/spree/api/address_books_controller_spec.rb
 - spec/controllers/spree/api/addresses_controller_spec.rb
 - spec/controllers/spree/api/base_controller_spec.rb
 - spec/controllers/spree/api/checkouts_controller_spec.rb
@@ -255,6 +254,7 @@ files:
 - spec/features/checkout_spec.rb
 - spec/fixtures/thinking-cat.jpg
 - spec/models/spree/legacy_user_spec.rb
+- spec/requests/api/address_books_spec.rb
 - spec/requests/rabl_cache_spec.rb
 - spec/requests/ransackable_attributes_spec.rb
 - spec/shared_examples/protect_product_actions.rb
@@ -289,7 +289,6 @@ signing_key:
 specification_version: 4
 summary: REST API for the Solidus e-commerce framework.
 test_files:
-- spec/controllers/spree/api/address_books_controller_spec.rb
 - spec/controllers/spree/api/addresses_controller_spec.rb
 - spec/controllers/spree/api/base_controller_spec.rb
 - spec/controllers/spree/api/checkouts_controller_spec.rb
@@ -329,6 +328,7 @@ test_files:
 - spec/features/checkout_spec.rb
 - spec/fixtures/thinking-cat.jpg
 - spec/models/spree/legacy_user_spec.rb
+- spec/requests/api/address_books_spec.rb
 - spec/requests/rabl_cache_spec.rb
 - spec/requests/ransackable_attributes_spec.rb
 - spec/shared_examples/protect_product_actions.rb

data/spec/controllers/spree/api/address_books_controller_spec.rb

@@ -1,60 +0,0 @@
-require 'spec_helper'
-
-module Spree
-  describe Api::AddressBooksController, :type => :controller do
-    render_views
-
-    context "unauthorized user" do
-      it "get 401 on /show" do
-        api_get :show
-        expect(response.status).to eq 401
-      end
-
-      it "get 401 on /update" do
-        api_put :update
-        expect(response.status).to eq 401
-      end
-
-      it "get 401 on /destroy" do
-        api_delete :destroy, address_id: 1
-        expect(response.status).to eq 401
-      end
-    end
-
-    context "authorized user with addresses" do
-      let(:address1) { create(:address) }
-      let(:address2) { create(:address, firstname: "Different") }
-
-      before do
-        stub_authentication!
-        current_api_user.save_in_address_book(address1.attributes, true)
-        current_api_user.save_in_address_book(address2.attributes, false)
-      end
-
-      it "gets their address book" do
-        api_get :show
-        expect(json_response.length).to eq 2
-      end
-
-      it "the first one is default" do
-        api_get :show
-        first, second = *json_response
-        expect(first["default"]).to be true
-        expect(second["default"]).to be false
-      end
-
-      it "can remove an address" do
-        api_delete :destroy, address_id: address1.id
-        expect(json_response.length).to eq 1
-      end
-
-      it "can update an address" do
-        updated_params = address2.attributes
-        updated_params[:firstname] = "Johnny"
-        updated_params[:default] = true
-        api_put :update, address_book: updated_params
-        expect(json_response.first["firstname"]).to eq "Johnny"
-      end
-    end
-  end
-end